Prior art methods of computer and internet security such as cryptographic processes, tokens, dongles, so-called “uncopyable media,” and various executable software protection schemes fail to prevent identity fraud. Such methods are incapable of ensuring that the person or entity at each end of a transaction is who he says he is. Because of the anonymous nature of the internet, the security of e-commerce-related information and transactions is a serious problem. At the center of the problem are those individuals who steal other persons' identities so as to perform fraud, pranks, vandalism, espionage and other illegitimate activities. Thus, the predominant internet security issue is identity authentication.
While authentication takes various forms, authentication of individuals is particularly desirable. Authentication is directed to verifying that the individual seeking access to and/or through a server is in fact who that individual claims to be, and not an impersonator. This authentication relies on verification being performed at or above a predetermined minimum level of confidence. At the same time, authentication is generally an early hurdle that the individual must clear to conduct internet transactions with the server.
The traditional method for authenticating individuals has relied on secret passwords. Password-only authentication can be implemented entirely in software. However, password-only authentication has a number of disadvantages. For example, a password's viability is enhanced, among other ways, by increasing its length, by controlling its composition and by changing it frequently. This, however, is cumbersome. Additionally, passwords, particularly written ones, can be lost or stolen. Passwords can be inadvertently disclosed to crackers via various ploys, such as observing the password's entry on a keyboard. Moreover, passwords can be intercepted as they are transported from the user to the desired server. Consequently, password-only authentication fails to provide adequate security.
Internet-based applications are flooding into areas that can benefit from enhanced security. Examples of such web-based applications include commercial transactions (e.g., loans and the purchase and sale of goods), banking transactions (e.g., electronic funds transfer), and medical transactions (e.g., provision of medical records in emergency situations). The internet is redefining commerce by eliminating the constraints of time and distance. World internet commerce sales are projected to reach between $1.7 and $3.5 trillion by the year 2003 (Source: Forrester Research, Inc.). Identity information and the authentication thereof will drive this explosion. However, many are uncomfortable with the current privacy protections. Although the Merchant's Association reports that e-business is growing by 200% annually, only about 5% of consumers visiting a website actually make purchases. The primary reason for this discrepancy is consumers' concern about privacy and online security. See "Has Business Accepted the Self-Regulation Challenge?", Federal Trade Commissioner Mozelle Thompson, Privacy in American Business, Fifth Annual Conference Journal (February/March 1999). Moreover, a recent Business Week/Harris Poll confirms that almost two-thirds of non-internet users would be more likely to start using the internet if the privacy of their personal information and communications would be protected, and that privacy was the primary reason individuals are choosing to stay off the internet, coming in well ahead of cost, concerns with complicated technology, and unsolicited commercial e-mail. See "Business Week/Harris Poll on Online Insecurity", Lewis Harris & Associates, Inc., New York, March 1998.
Additionally, a 1996 Harris Poll reported that 24% of Americans have personally experienced a privacy invasion, which is up from 19% in 1978. The same survey found that 80% of Americans felt that consumers have lost all control over how personal information about them is circulated and used by third parties. See "Equifax/Harris Consumer Privacy Survey", Lewis Harris & Associates Inc., New York, February 1996. Indeed, such fears have been confirmed by actual incidents of identity theft reported by the media. See, e.g., "Hacker Discloses 350,000 Numbers: Web Retailer's Credit Security Breached", Chicago Tribune, Business, p. 1 (Jan. 11, 2000); "Doubts Triggered Over Web Shopping", Assoc. Press, Jan. 20, 2000 (A “19-year-old Russian” claimed to have stolen 300,000 credit card numbers by exploiting a flaw in CD Universe's system). Accordingly, there is an acute need in the art for a system and method for verifying identity which goes beyond known systems and methods where a user's submitted identity information is not cross-checked against a database of identity information to halt fraud and/or determine the likelihood of an attempt to use fraudulent information.
Obviously, there is a multitude of instances where it is necessary to verify that an individual requesting access to a service, an e-commerce transaction, or a facility is in fact authorized to access the service, execute the transaction or enter the facility. For example, such services include banking services or telephone services, while the facilities may be, for example, banks, laboratories, computer systems, or database systems. In such situations, users typically have to write down, type or key in certain information, or present a card, in order to send an order, make a request, obtain a service, perform a transaction, transmit a message, or enter a facility. Verification or authentication of a customer prior to obtaining access to such services or facilities typically relies essentially on the customer's knowledge of passwords or personal identification numbers (PINs), on possession of a card or token, or on the customer interfacing with a remote operator who verifies the customer's knowledge of information such as name, address, Social Security number, city or date of birth, mother's maiden name, etc. In some special transactions, handwriting recognition or signature verification is also employed.
However, such conventional techniques present many drawbacks. First, information typically used to verify a user's identity may be lost or stolen and, with existing technology, a criminal may find it easy to obtain personal information such as the Social Security number, mother's maiden name or date of birth of his intended target. The shortcomings inherent in the conventional security measures have prompted an increasing interest in biometric security technology, i.e., verifying a person's identity by personal biological characteristics, such as voice printing, finger printing, iris scans, etc. However, even with biometric systems of the prior art, no attempt is made to cross-reference the user's alphanumeric identity data (i.e., name, address, Social Security number, etc.) against a database of identities which can determine, to a high degree of certainty, whether the alphanumeric identity data being offered with the biometric identity data is suspicious and/or subject to fraud. Without such cross-checking, a criminal submitting a biometric exemplar together with stolen alphanumeric identity data cannot be recognized as the fraud that he is by the anonymous computer systems which are so prevalent today.
Accordingly, a need exists for improved network and internet-based systems and methods to verify identities.